Verification Of UID(0) Requirement For Started Tasks To Comply With GAO Audit Question And Top Secret

Article ID: 189516


Products

Top Secret
Top Secret - LDAP WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

Verification of mainframe started tasks that require UID(0):

ACID      DESCRIPTION
BBIPAS    BBI PASS MANAGER
CCSSTC    CA7 STARTED TASK ACID
CRON      OMVS/CRON (task scheduler)
FTPA      Kernel Daemon for FTP
MFRSDBS   Oracle10g MFRS DBASE SERVICES
MFRTDBS   Oracle10g MFRT DBASE SERVICES
MVRPDBS   Oracle10g MVRP DBASE SERVICES
MVSTCP    z/OS TCP/IP STC
ORATSTC   ORACLE10G SYT STC ACID
PAGENT    TCPIP POLICY AGENT
P31BMC    Mainview
P31MSM    CA Chorus/MSM
P31NMD    NETMASTER Report Center
P311DFG   BATCH/DASD VOLUME CONFIG-DEFRAG
P39SCA7   CA7 PROD CONTROL BATCH ACID
SSHD2     SSH TECTIA SERVER
WILYZOS   WILYZOS STC – CA CROSS Enterprise APM agent
ZFS       ZFS ACID (omvs zs file system manager)

Environment

Release : 16.0

Component : CA TOP SECRET

Resolution

The requirement for UID(0) is not a Top Secret requirement. It is product specific. For the Broadcom products in the list:

CCSSTC CA7 STARTED TASK ACID
P39SCA7 CA7 PROD CONTROL BATCH ACID
P31MSM CA Chorus/MSM
P31NMD NETMASTER Report Center

** Nothing in the CA WORKLOAD AUTOMATION CA 7® EDITION 12.1 documentation requires UID(0). Here are the commands for Top Secret:

CA Workload Automation CA 7 Edition requires an ACID definition to execute under CA Top Secret® security. This definition identifies CA WA CA 7 Edition as a started task, names the procedure from which CA WA CA 7 Edition executes, and associates the CA WA CA 7 Edition facility with the CA WA CA 7 Edition ACID.
This command has the following format:

TSS CREATE(CA7ONL) NAME('CA 7 ONLINE ACID') FAC(STC,BATCH) +
TYPE(USER) PASS(NOPW) DEPT(CA7OPS) MASTFAC(CA7)
TSS PERMIT(CA7ONL) ACID(acid1)

Where acid1 is one of the ACIDs that you want to use for scheduled batch jobs through CA WA CA 7 Edition. Do this for each ACID that is used for scheduled batch jobs through CA WA CA 7 Edition.

Though not recommended, if you want to allow the CA7ONL ACID to submit jobs under any ACID and not define each separately, add the NOSUBCHK attribute to the CA7ONL ACID.

The following command adds the CA WA CA 7 Edition ACID to the CA Top Secret Started Task facility and identifies the CA WA CA 7 Edition procedure name.

TSS ADDTO(STC) PROCNAME(CA7ONL) ACID(CA7ONL)

Define ICOM to CA Top Secret
The CA Workload Automation CA 7 Edition Independent Communications Manager (ICOM) must also be defined to CA Top Secret®. ICOM handles SMF data for jobs that are submitted through CA WA CA 7 Edition, and therefore requires an ACID to execute in a CA Top Secret secured environment. The following command example may be used to define ICOM to CA Top Secret.
This command has the following format:

TSS CREATE(CA7ICOM) NAME('CA 7 ICOM') FAC(STC) TYPE(USER) +
PASS(NOPW) DEPT(CA7OPS) MASTFAC(CA7)
TSS PERMIT(CA7ICOM) ACID(acid1)

The following command adds the ICOM ACID to the CA Top Secret Started Task Facility and identifies the ICOM procedure name.

TSS ADDTO(STC) PROCNAME(CA7ICOM) ACID(CA7ICOM)

Where acid1 is one of the ACIDs that you want to use for scheduled batch jobs through CA WA CA 7 Edition. Do this for each ACID that is used for scheduled batch jobs through CA WA CA 7 Edition.

Though not recommended, if you want to allow the CA7ICOM ACID to submit jobs under any ACID and not define each separately, add the NOSUBCHK attribute to the CA7ICOM ACID.

** The following links to Chorus Software Manager (formerly MSM) documentation explain the prerequisites and how to set up CA CSM without UID(0) in Top Secret:

Set Up CA CSM User ID Without UID(0) Prerequisites

Set Up CA CSM User ID Without UID(0) for CA Top Secret for z/OS

** The CA NETMASTER® SHARED CONTENT LIBRARY 12.2 documentation gives the commands (TSS, ACF2, and RACF) to set up the OMVS segments for region STCs:

Set Up OMVS Segment for Region STCs

The TSS command has UID(nnn), which indicates that 0 is not required.

** For the non-Broadcom/CA products, check with the product vendor to see whether their respective product requires UID(0) on the region ACID.
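
To turn this resolution into a repeatable audit check, the following added example (not Broadcom code and not part of the original article) parses an ACID listing saved as text and sorts each started-task ACID by its OMVS UID. The `ACCESSORID = ... NAME = ...` / `UID = ...` line layout, the sample UID values, and the bucket names are assumptions; adjust the patterns to match your own listing.

```python
import re

# Constructed sample listing. The line layout is an assumed format and the UID
# values are invented; ACIDs and descriptions come from the article's list.
SAMPLE_LISTING = """\
ACCESSORID = CCSSTC    NAME = CA7 STARTED TASK ACID
UID        = 0000000000
ACCESSORID = P31NMD    NAME = NETMASTER Report Center
UID        = 0000000731
ACCESSORID = SSHD2     NAME = SSH TECTIA SERVER
UID        = 0000000000
ACCESSORID = P31MSM    NAME = CA Chorus/MSM
"""

# Broadcom ACIDs for which the article found no documented UID(0) requirement.
NO_DOCUMENTED_UID0 = {"CCSSTC", "P39SCA7", "P31MSM", "P31NMD"}

ACID_RE = re.compile(r"^ACCESSORID\s*=\s*(\S+)\s+NAME\s*=\s*(.*\S)\s*$")
UID_RE = re.compile(r"^UID\s*=\s*(\d+)\s*$")

def parse_listing(text):
    """Return {acid: {"name": str, "uid": int or None}}; None means no UID line seen."""
    acids, current = {}, None
    for line in text.splitlines():
        m = ACID_RE.match(line.strip())
        if m:
            current = m.group(1).upper()
            acids[current] = {"name": m.group(2), "uid": None}
            continue
        m = UID_RE.match(line.strip())
        if m and current is not None:
            acids[current]["uid"] = int(m.group(1))
    return acids

def classify(acids):
    """Bucket each ACID for the audit response, following the article's guidance."""
    report = {"uid0_not_documented": [], "ask_vendor": [], "ok": [], "no_uid": []}
    for acid, info in sorted(acids.items()):
        if info["uid"] is None:
            report["no_uid"].append(acid)            # no OMVS UID in the listing
        elif info["uid"] != 0:
            report["ok"].append(acid)                # already non-zero
        elif acid in NO_DOCUMENTED_UID0:
            report["uid0_not_documented"].append(acid)  # UID 0 not required per docs
        else:
            report["ask_vendor"].append(acid)        # non-Broadcom: confirm with vendor
    return report

if __name__ == "__main__":
    for bucket, names in classify(parse_listing(SAMPLE_LISTING)).items():
        print(f"{bucket:20} {', '.join(names) or '-'}")
```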